apiv2: add download endpoints for pcap variants, TLS keys, ETW logs, bulk archives

[wmetcalf]

Summary

The web UI file-download view has long exposed dump_decrypted.pcap, dump_mixed.pcap, pcap bundles, pcapng (with embedded keys), tlsdump keylog, and whole-directory archives, but the REST API only served dump.pcap plus a tasks_tlspcap endpoint hard-coded to polarproxy/tls.pcap — a path no longer produced since CAPE moved to SSLproxy + GoGoRoboCap. Programmatic consumers currently have no way to pull the decrypted / merged pcaps or any of the ETW-based telemetry that now drives process attribution.

This PR brings apiv2 to parity with the web UI and adds endpoints for several artifacts that have no download path at all today.

New endpoints

PCAP variants (gated by existing [taskpcap]):

endpoint	serves
tasks/get/decrypted_pcap/<id>/	dump_decrypted.pcap
tasks/get/mixed_pcap/<id>/	dump_mixed.pcap
tasks/get/sslproxy_pcap/<id>/	sslproxy/sslproxy.pcap
tasks/get/pcapzip/<id>/	zip of all 5 pcap variants
tasks/get/pcapng/<id>/	on-the-fly pcapng with TLS keys embedded

TLS key material (new [tasktlskeys] — gated separately since these decrypt captured flows):

endpoint	serves
tasks/get/tlskeys/<id>/	tlsdump/tlsdump.log (NSS keylog)
tasks/get/sslkeys/<id>/	aux/sslkeylogfile/sslkeys.log
tasks/get/masterkeys/<id>/	sslproxy/master_keys.log

ETW telemetry (new [tasketw]):

endpoint	serves
tasks/get/dns_etw/<id>/	aux/dns_etw.json (NDJSON)
tasks/get/network_etw/<id>/	aux/network_etw.json
tasks/get/wmi_etw/<id>/	aux/wmi_etw.json
tasks/get/amsi_etw/<id>/	zip of aux/amsi_etw/

Bulk directory archives (new [taskbulkzip] — AES-encrypted with ZIP_PWD for parity with tasks_dropped/tasks_payloadfiles/tasks_procdumpfiles):

endpoint	serves
tasks/get/logs_all/<id>/	logs/
tasks/get/network_all/<id>/	network/
tasks/get/memdump_all/<id>/	memory/
tasks/get/selfextracted_all/<id>/	selfextracted/

Fixes

• tasks_tlspcap now prefers dump_decrypted.pcap with a polarproxy/tls.pcap fallback so legacy callers keep working on modern analyses (previously returned 404 on every post-PolarProxy run).
• create_zip picks up a recursive os.walk (replacing os.listdir) and now preserves relative paths. Previously, bulk archives of nested directories — notably logs/filestore/<bucket>/* — silently dropped everything below the top level. Also gains an optional temp_file=True that routes the archive through a disk-backed NamedTemporaryFile for memory-friendly streaming of large folders (used by the new bulk endpoints).

Gating

PCAP variants reuse the existing [taskpcap] section on the theory that operators who opted into pcap access already implicitly trust the caller with packet-capture data. TLS keys, ETW JSON, and whole-directory archives get their own sections so they can be enabled/disabled independently of standard pcap access.

Implementation

Four shared helpers — _resolve_task_id, _serve_analysis_file, _zip_paths, _serve_folder_zip — factor the boilerplate so each new handler reduces to 4–8 lines of actual logic.

Test plan

• All 16 new endpoints return correct Content-Type and body (verified against live CAPE deployment on tasks with and without TLS decryption data)
• tasks_tlspcap now serves dump_decrypted.pcap on modern analyses (same SHA256 as tasks_decrypted_pcap) and falls back cleanly when nothing is present
• pcapng endpoint generates a valid PCAPNG v1.0 with TLS keys embedded (file /tmp/t.pcapng → pcapng capture file - version 1.0)
• AES-encrypted bulk zips round-trip with ZIP_PWD=infected (7z t -pinfected)
• Missing artifacts return clean JSON errors, not 500s
• Invalid task IDs return {"error": true, "error_value": "Task does not exist"}
• Recursive-walk fix archives nested content — verified logs_all on a task where logs/ has 22 files total, 12 top-level and 10 under logs/filestore/*/*; old code shipped only 12 + empty directory entry, new code ships all 22
• No regression in existing create_zip callers (flat dirs produce identical output)

[gemini-code-assist]

Code Review

This pull request introduces several new API endpoints for downloading analysis artifacts, such as decrypted PCAPs, ETW logs, and bulk ZIP archives of logs, memory dumps, and network data. It also refactors the download logic into reusable helper functions and enhances the create_zip utility to support recursive directory compression and disk-backed temporary files. Feedback highlights a potential race condition when generating PCAPNG files at a fixed path, suggests making TLP checks case-insensitive for better consistency, and recommends using a more accurate MIME type for PCAPNG downloads.

[gemini-code-assist]

Generating the PCAPNG file at a fixed path (dump.pcapng) within the analysis directory introduces a race condition. Concurrent API requests for the same task will attempt to write to the same file simultaneously, potentially leading to file corruption or serving incomplete data. Consider using a file lock or generating the PCAPNG to a unique temporary file for each request if it is not intended to be a persistent, shared artifact.

[gemini-code-assist]

The TLP check is case-sensitive and only accounts for "red" and "Red". It should be made case-insensitive to correctly handle "RED" as well, ensuring consistency with other TLP checks in the codebase.

Suggested change

	if check_tlp and check.get("tlp", "") in ("red", "Red"):
	if check_tlp and (check.get("tlp") or "").lower() == "red":

[gemini-code-assist]

The Content-Type for PCAPNG files should be application/x-pcapng or application/vnd.tcpdump.pcapng to accurately reflect the file format and ensure proper handling by client applications.

Suggested change

	return _serve_analysis_file(task_id, "dump.pcapng", "dump.pcapng",
	content_type="application/vnd.tcpdump.pcap")
	return _serve_analysis_file(task_id, "dump.pcapng", "dump.pcapng",
	content_type="application/x-pcapng")

[doomedraven]

that is a bit overflow, would be easier to do: get/pcap and get/pcap/<type>

[Copilot]

Pull request overview

Adds new apiv2 download endpoints to bring REST API artifact access closer to the web UI, including multiple PCAP variants, TLS key material, ETW telemetry, and bulk directory archives; also fixes/extends zip creation to support recursive folder zipping and disk-backed streaming.

Changes:

• Added shared download helpers and 16 new artifact endpoints in web/apiv2/views.py (pcap variants, pcapng, TLS keys, ETW, bulk zips) and updated tasks_tlspcap fallback behavior.
• Registered new routes for these endpoints in web/apiv2/urls.py.
• Enhanced create_zip() to walk folders recursively, preserve relative paths, and optionally use a NamedTemporaryFile for streaming large archives; added new API config gates.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 7 comments.

File	Description
web/apiv2/views.py	Introduces helpers + new streaming download endpoints (pcaps, pcapng, TLS keys, ETW, bulk zips) and updates legacy TLS pcap behavior
web/apiv2/urls.py	Wires up new task download routes
lib/cuckoo/common/utils.py	Improves zip creation (recursive walk, relative paths, temp-file option) to support new bulk download endpoints
conf/default/api.conf.default	Adds new API gating sections for TLS keys, ETW logs, and bulk archive downloads

[Copilot]

_serve_folder_zip() assumes encrypted=True yields an AES-encrypted archive, but create_zip() only encrypts when pyzipper is available; otherwise it silently produces an unencrypted zip. If these endpoints must always be encrypted for safety, consider explicitly checking HAVE_PYZIPPER and returning a clear error when it's missing (or adjust the messaging/docs accordingly).

Suggested change

	Uses `create_zip` (password = ZIP_PWD) for parity with tasks_dropped /
	tasks_payloadfiles. Returns a Response with a JSON error if the folder
	doesn't exist or is empty."""
	srcdir = os.path.join(CUCKOO_ROOT, "storage", "analyses", "%s" % task_id, rel_folder)
	if not os.path.normpath(srcdir).startswith(ANALYSIS_BASE_PATH):
	return Response({"error": True, "error_value": "Invalid path"})
	if not path_exists(srcdir) or not os.listdir(srcdir):
	return Response({"error": True, "error_value": empty_msg or f"No {rel_folder} artifacts for task {task_id}"})
	mem_zip = create_zip(folder=srcdir, encrypted=True, temp_file=True)
	if mem_zip is False:
	return Response({"error": True, "error_value": "Can't create zip archive"})
	Uses AES encryption with `pyzipper` (password = ZIP_PWD). Returns a
	Response with a JSON error if the folder doesn't exist, is empty, or the
	archive cannot be created."""
	srcdir = os.path.join(CUCKOO_ROOT, "storage", "analyses", "%s" % task_id, rel_folder)
	if not os.path.normpath(srcdir).startswith(ANALYSIS_BASE_PATH):
	return Response({"error": True, "error_value": "Invalid path"})
	if not path_exists(srcdir) or not os.listdir(srcdir):
	return Response({"error": True, "error_value": empty_msg or f"No {rel_folder} artifacts for task {task_id}"})
	mem_zip = tempfile.NamedTemporaryFile(delete=True)
	written = 0
	try:
	with pyzipper.AESZipFile(mem_zip, "w", compression=pyzipper.ZIP_DEFLATED, encryption=pyzipper.WZ_AES) as zf:
	zf.setpassword(ZIP_PWD.encode())
	for root, _, files in os.walk(srcdir):
	for filename in files:
	filepath = os.path.join(root, filename)
	if path_exists(filepath) and os.path.getsize(filepath) > 0:
	arcname = os.path.relpath(filepath, srcdir)
	zf.write(filepath, arcname)
	written += 1
	except Exception:
	mem_zip.close()
	return Response({"error": True, "error_value": "Can't create zip archive"})
	if not written:
	mem_zip.close()
	return Response({"error": True, "error_value": empty_msg or f"No {rel_folder} artifacts for task {task_id}"})

[Copilot]

The TLP:RED guard only checks for "red"/"Red". Elsewhere the codebase treats "RED" as a possible value too, so tasks with tlp="RED" would bypass this check and allow downloads. Consider normalizing (e.g., tlp.lower() == "red") or including "RED" in the allowed list.

[Copilot]

The _resolve_task_id docstring says TLP:RED checks are skipped only for endpoints that need it ("none at present"), but tasks_tlspcap() calls it with check_tlp=False. Either update the docstring (and rationale) or enable the TLP check here for consistency with other download endpoints.

Suggested change

	the same key. TLP:RED checks are skipped only for endpoints that need
	to serve regardless (none at present)."""
	the same key. By default, TLP:RED tasks are blocked; callers may pass
	`check_tlp=False` for endpoints that intentionally need to bypass that
	restriction."""

[Copilot]

tasks_tlspcap is described as a back-compat endpoint, but it changes the downloaded filename from the previous *_tls.pcap to *_{dump_decrypted.pcap|tls.pcap}. Clients that key off the attachment name may break; consider keeping the historical filename (e.g., always <task>_tls.pcap) while serving the preferred content.

[Copilot]

The path validation uses normpath(...).startswith(ANALYSIS_BASE_PATH), which does not account for symlinks. If an analysis artifact path is a symlink to a file outside the analysis directory, this check would still pass and could expose host files. Consider validating with path_safe()/Path.resolve() and/or rejecting symlinks before opening the file.

[Copilot]

zf.write(file, path) will follow symlinks by default. If any archived entry is a symlink (e.g., introduced via extracted artifacts), this can zip and expose the link target outside the intended folder. Consider skipping symlinks and/or using follow_symlinks=False plus path_safe()/Path.resolve() validation for each file before archiving.

[Copilot]

The pcapng endpoint embeds TLS secrets into the capture, but it is currently gated only by [taskpcap]. This effectively bypasses the new [tasktlskeys] control and may leak decryption keys even when TLS key downloads are disabled. Consider requiring both gates (taskpcap + tasktlskeys) or moving pcapng behind a dedicated TLS-keys-related gate.

Suggested change

	return err
	return err
	task_id, err = _resolve_task_id(task_id, "tasktlskeys")
	if err:
	return err

[wmetcalf]

Force-pushed an updated version addressing both reviews:

@doomedraven — collapsed the 16 separate endpoints into four parameterised routes:

• tasks/get/pcap/<id>/<variant>/ — variant ∈ {decrypted, mixed, sslproxy, zip, pcapng}
• tasks/get/keys/<id>/<kind>/ — kind ∈ {tls, ssl, master}
• tasks/get/etw/<id>/<kind>/ — kind ∈ {dns, network, wmi, amsi}
• tasks/get/bulkzip/<id>/<folder>/ — folder ∈ {logs, network, memory, selfextracted}

Each handler validates the parameter against a static whitelist before touching the filesystem, so the URL param can't probe outside the analysis dir. The apiconf sections stay the same ([tasktlskeys], [tasketw], [taskbulkzip]). tasks/get/pcap/<id>/ (no variant) and tasks/get/tlspcap/<id>/ keep their existing shape for back-compat.

@gemini-code-assist — all three inline comments addressed:

1. pcapng generates into a per-request NamedTemporaryFile and unlinks the path as soon as the fd is handed to FileWrapper, so concurrent callers can't race on a shared path inside the analysis dir.
2. TLP check in _resolve_task_id normalises with .lower() so RED / Red / red all match.
3. pcapng Content-Type is now application/x-pcapng.

The commit message also drops the earlier mischaracterisation of PolarProxy — it's still a first-class TLS pipeline (its aux module writes polarproxy/tls.pcap and its processor mergecaps it into dump.pcap), the tasks_tlspcap fix just teaches the endpoint about dump_decrypted.pcap so the SSLproxy + decryptpcap pipeline is served too.

[gemini-code-assist]

Thank you for the update, @wmetcalf. The refactoring into parameterized routes and the implementation of the requested security and performance improvements (like the NamedTemporaryFile usage and TLP normalization) look excellent. The approach of using a static whitelist for URL parameters is a robust way to prevent directory traversal. This PR is now in a great state.